.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.20) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} .el \{\ . de IX .. .\} .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "KASERVER 8" .TH KASERVER 8 "2021-12-09" "OpenAFS" "AFS Command Reference" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" kaserver \- Initializes the Authentication Server .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBkaserver\fR [\fB\-noAuth\fR] [\fB\-database\fR <\fIdbpath\fR>] [\fB\-auditlog\fR\ <\fIlog\ path\fR>] [\fB\-audit\-interface\fR\ (file\ |\ sysvmq)] [\fB\-localfiles\fR\ <\fIlclpath\fR>] [\fB\-minhours\fR\ <\fIn\fR>] [\fB\-servers\fR\ <\fIserverlist\fR>] [\fB\-enable_peer_stats\fR] [\fB\-enable_process_stats\fR] [\fB\-rxbind\fR] [\fB\-crossrealm\fR] [\fB\-help\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBkaserver\fR command initializes the Authentication Server, an obsolete way of providing authentication services to an \s-1AFS\s0 cell. It should no longer be used; instead, it should be replaced with a Kerberos version 5 \&\s-1KDC\s0. It is provided only for support of sites already running the Authentication Server and that have not yet migrated to Kerberos version 5. .PP For a cell using the Authentication Server, it runs on every database server machine. In the conventional configuration, its binary file is located in the \fI/usr/afs/bin\fR directory on a file server machine. .PP The \fBkaserver\fR command is not normally issued at the command shell prompt but rather placed into a file server machine's \fI/usr/afs/local/BosConfig\fR file with the \fBbos create\fR command. If it is ever issued at the command shell prompt, the issuer must be logged onto a database server machine as the local superuser \f(CW\*(C`root\*(C'\fR. .PP As it initializes, the Authentication Server process creates the two files that constitute the Authentication Database, \fIkaserver.DB0\fR and \&\fIkaserver.DBSYS1\fR, in the \fI/usr/afs/db\fR directory if they do not already exist. Use the commands in the \fBkas\fR suite to administer the database. .PP The Authentication Server is responsible for several aspects of \s-1AFS\s0 security, including: .IP "\(bu" 4 Maintenance of all \s-1AFS\s0 server encryption keys and user passwords in the Authentication Database. .IP "\(bu" 4 Creation of the tickets and tokens that users and servers use to establish secure connections. Its Ticket Granting Service (\s-1TGS\s0) component performs this function. .PP The Authentication Server records a trace of its activity in the \&\fI/usr/afs/logs/AuthLog\fR file. Use the \fBbos getlog\fR command to display the contents of the file. Use the \fBkdb\fR command to read the protected files associated with the \fIAuthLog\fR file, \fIAuthLog.dir\fR and \&\fIAuthLog.pag\fR. .PP This command does not use the syntax conventions of the \s-1AFS\s0 command suites. Provide the command name and all option names in full. .SH "CAUTIONS" .IX Header "CAUTIONS" The Authentication Server provides only Kerberos version 4, which is no longer considered sufficiently secure. It can only use \s-1DES\s0 encryption for user keys, is vulnerable to known flaws in the Kerberos version 4 protocol, and is based on protocols that are obsolete and no longer developed. The Authentication Server is also not widely tested and is known to have problems on some platforms OpenAFS otherwise supports. .PP The Authentication Server should not be used for any new deployment. It is provided only for sites that need to use it while preparing for a migration to Kerberos \s-1KDC\s0. No significant updates to the Authentication Server will be developed, and it will be removed from a future version of OpenAFS. .SH "OPTIONS" .IX Header "OPTIONS" .IP "\fB\-noAuth\fR" 4 .IX Item "-noAuth" Assigns the unprivileged identity \f(CW\*(C`anonymous\*(C'\fR to the issuer. Thus, it establishes an unauthenticated connection between the issuer and the Authentication Server. It is useful only when authorization checking is disabled on the database server machine. In normal circumstances, the Authentication Server allows only authorized (privileged) users to issue commands that affect or contact the Authentication Database and will refuse to perform such an action even if the \fB\-noAuth\fR flag is used. .IP "\fB\-database\fR <\fIdbpath\fR>" 4 .IX Item "-database " Specifies the pathname of an alternate directory in which the Authentication Database files reside. Provide the complete pathname, ending in the base filename to which the \f(CW\*(C`.DB0\*(C'\fR and \f(CW\*(C`.DBSYS1\*(C'\fR extensions are appended. For example, the appropriate value for the default database files is \fI/usr/afs/db/kaserver\fR. .Sp Provide the \fB\-localfiles\fR argument along with this one; otherwise, the \&\fB\-localfiles\fR argument is also set to the value of this argument, which is probably inappropriate. .IP "\fB\-auditlog\fR <\fIlog path\fR>" 4 .IX Item "-auditlog " Turns on audit logging, and sets the path for the audit log. The audit log records information about \s-1RPC\s0 calls, including the name of the \s-1RPC\s0 call, the host that submitted the call, the authenticated entity (user) that issued the call, the parameters for the call, and if the call succeeded or failed. .IP "\fB\-audit\-interface\fR (file | sysvmq)" 4 .IX Item "-audit-interface (file | sysvmq)" Specifies what audit interface to use. Defaults to \f(CW\*(C`file\*(C'\fR. See \&\fIfileserver\fR\|(8) for an explanation of each interface. .IP "\fB\-localfiles\fR <\fIlclpath\fR>" 4 .IX Item "-localfiles " Specifies the pathname of an alternate directory in which the auxiliary Authentication Database file resides. Provide the complete pathname, ending in the base filename to which the \f(CW\*(C`auxdb\*(C'\fR suffix is appended. For example, the appropriate value for the default auxiliary database file is \&\fI/usr/afs/local/kaserver\fR. .IP "\fB\-minhours\fR <\fIn\fR>" 4 .IX Item "-minhours " Specifies the minimum number of hours that must pass between password changes made by any regular user. System administrators (with the \f(CW\*(C`ADMIN\*(C'\fR flag in their Authentication Database entry) can change passwords as often as desired. Setting a minimum time between password changes is not recommended. .IP "\fB\-servers\fR <\fIauthentication servers\fR>+" 4 .IX Item "-servers +" Names each database server machine running an Authentication Server with which the local Authentication Server is to synchronize its copy of the Authentication Database, rather than with the machines listed in the local \&\fI/usr/afs/etc/CellServDB\fR file. .IP "\fB\-enable_peer_stats\fR" 4 .IX Item "-enable_peer_stats" Activates the collection of Rx statistics and allocates memory for their storage. For each connection with a specific \s-1UDP\s0 port on another machine, a separate record is kept for each type of \s-1RPC\s0 (FetchFile, GetStatus, and so on) sent or received. To display or otherwise access the records, use the Rx Monitoring \s-1API\s0. .IP "\fB\-enable_process_stats\fR" 4 .IX Item "-enable_process_stats" Activates the collection of Rx statistics and allocates memory for their storage. A separate record is kept for each type of \s-1RPC\s0 (FetchFile, GetStatus, and so on) sent or received, aggregated over all connections to other machines. To display or otherwise access the records, use the Rx Monitoring \s-1API\s0. .IP "\fB\-rxbind\fR" 4 .IX Item "-rxbind" Bind the Rx socket to the primary interface only. (If not specified, the Rx socket will listen on all interfaces.) .IP "\fB\-crossrealm\fR" 4 .IX Item "-crossrealm" Enable cross-realm authentication. The use of this option is considered insecure, and thus strongly discouraged. See \s-1OPENAFS\-SA\-2003\-001\s0. .IP "\fB\-help\fR" 4 .IX Item "-help" Prints the online help for this command. All other valid options are ignored. .SH "EXAMPLES" .IX Header "EXAMPLES" The following \fBbos create\fR command creates a \f(CW\*(C`kaserver\*(C'\fR process on \&\f(CW\*(C`fs3.example.com\*(C'\fR (the command appears on two lines here only for legibility): .PP .Vb 2 \& % bos create \-server fs3.example.com \-instance kaserver \e \& \-type simple \-cmd /usr/afs/bin/kaserver .Ve .SH "PRIVILEGE REQUIRED" .IX Header "PRIVILEGE REQUIRED" The issuer must be logged in as the superuser \f(CW\*(C`root\*(C'\fR on a file server machine to issue the command at a command shell prompt. It is conventional instead to create and start the process by issuing the \fBbos create\fR command. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIAuthLog\fR\|(5), \&\fIBosConfig\fR\|(5), \&\fICellServDB\fR\|(5), \&\fIkaserver.DB0\fR\|(5), \&\fIkaserverauxdb\fR\|(5), \&\fIbos\fR\|(8), \&\fIbos_create\fR\|(8), \&\fIbos_getlog\fR\|(8), \&\fIkas\fR\|(8), \&\fIkdb\fR\|(8) .SH "COPYRIGHT" .IX Header "COPYRIGHT" \&\s-1IBM\s0 Corporation 2000. All Rights Reserved. .PP This documentation is covered by the \s-1IBM\s0 Public License Version 1.0. It was converted from \s-1HTML\s0 to \s-1POD\s0 by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.